[syslog-ng] syslog-ng buffer and reload

Budai, László laszlo.budai at balabit.com
Tue Mar 28 07:05:08 UTC 2017


your use case is a special one: you know that you won't need any of the
messages stored in the diskbuffer after a reload.

Maybe a --clear-diskqueue/--start-with-empty-diskqueue switch to the reload
command could solve this issue. But with this option you will lose all your
messages that are stored in the diskqueue. What do you think?

Laszlo Budai

On Monday, March 27, 2017, Fabien Wernli <wernli at in2p3.fr> wrote:

> Hi,
> I'm using the disk queue to buffer the writes to elasticsearch.
> I notices the following behaviour:
> When reloading the configuration (`syslog-ng-ctl reload`), syslog-ng stops
> processing incoming messages (they appear as `dropped` in stats) and starts
> emptying the queue. It only starts accepting new messages when the queue is
> completely empty.
> I understand this is probably an expected behaviour, but in the following
> scenario (I just experienced) it poses a problem:
> 1. some application goes bananas logging at zillions of events per second
> 2. syslog-ng queue starts filling up
> 3. crazy app identified: I modify syslog-ng.conf in order to filter out the
>    app
> 4. syslog-ng-ctl reload
> 5. syslog-ng starts dropping all new messages and emptying the queue
> 6. I have to wait for the queue to be empty (which can take a long time)
> Wouldn't it be saner to continue accepting messages when intercepting the
> HUP?
> ____________________________________________________________
> __________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?
> product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20170328/10c38b94/attachment.html>

More information about the syslog-ng mailing list